hojztuh
Reputation: 13
What is difference of the two lengths in pcap's packet header?
Here is the structure of the packet header in pcap:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire)*/
};
I wonder what is the real difference between caplen and len? And where are they used?
Upvotes: 0
Views: 780
Answers (1)
Steffen Ullrich
Reputation: 123320
len is the actual length of the packet on the wire. caplen is the length which is captured and thus present in the pcap file. caplen can be the same but also smaller than len.
How many bytes of a packet will be captured can be specified for example in tcpdump with -s size. While on many system tcpdump will capture up to 64k by default for example on OpenBSD it will only capture 116 bytes by default.
Upvotes: 1
Related Questions
- pcap struct pcap_pkthdr len vs caplen
- Why does UDP have a length field in the header and TCP does not?
- pointer to packet len in libpcap
- Calculating TCP Header Length?
- Understanding pcap packet header
- Packet length mismatch while using libpcap
- Read pcap header length field with python
- pcap packet length values seem incorrect
- collect packet length in pcap file
- pcap why always packets of 8 bytes... why?